nodejs-logging-winston

Security Vulnerability: Uncontrolled Resource Consumption in @grpc/grpc-js (introduced via @google-cloud/pubsub & @google-cloud/logging-winston)

Open sofisl opened this issue 10 months ago • 1 comment

Overview: A security vulnerability (https://github.com/advisories/GHSA-7v5v-9h63-cj86) has been detected in @grpc/grpc-js, affecting projects that use @google-cloud/pubsub and @google-cloud/logging-winston. The vulnerability is related to uncontrolled resource consumption (CWE-789) and has a CVSS score of 6.9 (Medium severity).

Vulnerability Details:

- Package Affected: @grpc/grpc-js
- Introduced via: @google-cloud/[email protected], @google-cloud/[email protected]
- CWE ID: [CWE-789](https://cwe.mitre.org/data/definitions/789.html)
- CVE ID: [CVE-2024-37168](https://nvd.nist.gov/vuln/detail/CVE-2024-37168)
- Exploit Maturity: No known exploits, but potential for excessive CPU/memory consumption.
- Fixed in Versions: @grpc/[email protected], 1.9.15, 1.10.9
- Impact: This vulnerability can lead to uncontrolled resource consumption, which may degrade performance or cause availability issues under certain conditions.

Steps to Reproduce:

1. Install @google-cloud/[email protected] or @google-cloud/[email protected].
2. Run npm audit or snyk test to detect the vulnerability.
3. Observe that @grpc/grpc-js is flagged with https://github.com/advisories/GHSA-7v5v-9h63-cj86.

Suggested Fix:

- Upgrade @grpc/grpc-js to 1.10.9 or higher in @google-cloud/pubsub and @google-cloud/logging-winston.
- If possible, remove unnecessary dependencies on vulnerable versions.

Next Steps: Can you confirm if a patch is planned for upcoming releases of @google-cloud/pubsub and @google-cloud/logging-winston to use the latest safe version of @grpc/grpc-js?

Looking forward to your response. Thanks for your help!

cc @ran2207

sofisl avatar Feb 13 '25 19:02 sofisl
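An added example (not from the issue or from the google-cloud projects) of the check step 2 automates with `npm audit`: walk an `npm ls --all --json`-style dependency tree and flag every copy of @grpc/grpc-js that is below the fixed releases named in the report (1.9.15, 1.10.9; the 1.8.x fix number is not legible above, so 1.8.x and older is flagged conservatively). The tree and its version numbers are constructed, and the parent package versions are placeholders because the report elides them.

```javascript
// Fixed releases as listed in this report (major 1 only): minor -> first fixed patch.
const FIXED_PATCH_BY_MINOR = { 9: 15, 10: 9 };
const RECOMMENDED = '1.10.9'; // the report's "upgrade to 1.10.9 or higher"

function parseVersion(v) {
  const [major, minor, patch] = v.split('-')[0].split('.').map(Number);
  return { major, minor, patch };
}

// True when this @grpc/grpc-js version is still below the fixed versions
// listed in the report for GHSA-7v5v-9h63-cj86 / CVE-2024-37168.
function isVulnerableGrpcJs(version) {
  const { major, minor, patch } = parseVersion(version);
  if (major > 1) return false;               // assumption: later majors carry the fix
  if (major < 1) return true;
  if (minor > 10) return false;              // above the newest fixed line
  const fixedPatch = FIXED_PATCH_BY_MINOR[minor];
  if (fixedPatch === undefined) return true; // 1.8.x and older: fix line not legible in the report
  return patch < fixedPatch;
}

// Depth-first walk of an npm ls tree; `path` records the parent chain so the
// result shows which top-level dependency introduced the vulnerable copy.
function findVulnerableGrpcJs(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === '@grpc/grpc-js' && isVulnerableGrpcJs(dep.version)) {
      out.push({ path: here.join(' > '), version: dep.version, upgradeTo: RECOMMENDED });
    }
    findVulnerableGrpcJs(dep, here, out);
  }
  return out;
}

// Constructed sample tree (not real npm output). Parent versions are
// placeholders; the grpc-js versions are chosen to show one vulnerable copy
// (1.10.8), one fixed copy (1.9.15) and one on a line with no legible fix.
const SAMPLE_TREE = {
  dependencies: {
    '@google-cloud/logging-winston': { version: 'VERSION-PLACEHOLDER',
      dependencies: { '@grpc/grpc-js': { version: '1.10.8' } } },
    '@google-cloud/pubsub': { version: 'VERSION-PLACEHOLDER',
      dependencies: { '@grpc/grpc-js': { version: '1.9.15' } } },
    'some-other-dep': { version: 'VERSION-PLACEHOLDER',
      dependencies: { '@grpc/grpc-js': { version: '1.8.21' } } },
  },
};

for (const hit of findVulnerableGrpcJs(SAMPLE_TREE)) {
  console.log(`${hit.path}: vulnerable, upgrade @grpc/grpc-js to >= ${hit.upgradeTo}`);
}
```

Run the same function over real data with `npm ls --all --json > tree.json` and `JSON.parse(fs.readFileSync('tree.json'))` in place of SAMPLE_TREE.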